Analysis of signature wrapping attacks and countermeasures

2009 IEEE International Conference on Web Services, ICWS 2009

Volumn , Issue , 2009, Pages 575-582

  Gajek, Sebastian ^a   Jensen, Meiko ^a   Liao, Lijun ^a   Schwenk, Jörg ^a  

^a RUHR UNIVERSITY BOCHUM   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

DIGITAL SIGNATURE; NEW SOLUTIONS; SIGNATURE VERIFICATION; SOAP MESSAGES; SUBTREES;

WEB SERVICES;

EID: 70449469222     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ICWS.2009.12     Document Type: Conference Paper

References (20)

1. Security in a Web Services World: A Proposed Architecture and Roadmap, April 7, 2002. http://www.ibm.com/developerworks/library/specification/ws- secmap/.
2. A. Nadalin, C. Kaler, R. Monzillo, and P. Hallam- Baker (Editor). Web services security: SOAP message security 1.1, Nov. 2006.
3. M. Bartel, J. Boyer, B. Fox, B. LaMacchia, and E. Simon. XML-signature syntax and processing, Feb. 2002.
4. th International Conference on Data Engineering (ICDE03), 2003.
5. A. Benameur, F. A. Kadir, and S. Fenet. XML Rewriting Attacks: Existing Solutions and their Limitations. In IADIS Applied Computing 2008. IADIS Press, Apr. 2008.
6. Berglund, S. Boag, D. Chamberlin, M. F. Fernandez, M. Kay, J. Robie, and J. Simon. XML path language (XPath), version 2.0, Jan. 2007.
7. th ACM conference on Computer and communications security, pages 268-277, 2004. (Pubitemid 40338208)
8. J. Boyer, M. Hughes, and J. Reagle. XML-signature xpath filter 2.0, Nov. 2002.
9. J. Callas, L. Donnerhacke, H. Finney, and R. Thayer. OpenPGP message format, Nov. 1998.
10. A. Ekelhart, S. Fenz, G. Goluch, M. Steinkellner, and E. Weippl. Xml security - a comparative literature review. J. Syst. Softw., 81(10):1715-1724, 2008.
11. S. Gajek, L. Liao, and J. Schwenk. Breaking and fixing the inline approach. In SWS '07: Proceedings of the 2007 ACM workshop on Secure web services, pages 37-43, New York, NY, USA, 2007. ACM.
12. G. Gou and R. Chirkova. Efficient algorithms for evaluating xpath over streams. In SIGMOD '07: Proceedings of the 2007 ACM SIGMOD international conference on Management of data, pages 269-280, New York, NY, USA, 2007. ACM.
13. B. Kaliski. PKCS#7: Cryptographic message syntax standard, version 1.5, Mar. 1998.
14. M. McIntosh and P. Austel. XML signature element wrapping attacks and countermeasures. In Workshop on Secure Web Services, 2005.
15. M. McIntosh, M. Gudgin, K. S. Morrison, and A. Barbir. Basic security profile version 1.0. Web Services Interoperability Organization Deliverables, 2007.
16. A. Nadalin, C. Kaler, R. Monzillo, and P. Hallam- Baker. Web Services Security: SOAP Message Security 1.1 (WS-Security 2004). OASIS Standard, 2006.
17. D. Olteanu, T. Furche, and F. Bry. An efficient singlepass query evaluator for xml data streams. In SAC '04: Proceedings of the 2004 ACM symposium on Applied computing, pages 627-631, New York, NY, USA, 2004. ACM.
18. M. A. Rahaman, R. Marten, and A. Schaad. An inline approach for secure soap requests and early validation. OWASP AppSec Europe, 2006.
19. M. A. Rahaman and A. Schaad. Soap-based secure conversation and collaboration. In ICWS, pages 471-480, 2007.
20. M. A. Rahaman, A. Schaad, and M. Rits. Towards secure soap message exchange in a soa. In Workshop on Secure Web Services, 2006.